Municipality of Thiene – €3,000 Fine (Italy, 2022)

The municipality (the controller) published on its online Public Notice Board, as well in a press release, information about the data subject's dismissal from work. The publication contained a matriculation number, which made the data subject identifiable. Subsequently, the data subject decided to file a complaint with the Italian DPA. The DPA initiated proceedings and requested more information from the controller. The controller argued that the information had been put through pseudonymisation first and only employees knew how to decrypt it. Furthermore, the online Notice Board was not indexed in search engines. With regards to the press release, the controller argued that the text was anonymous and did not allow for the identification of the data subject. Firstly, the Italian DPA held that the dissemination of personal data (such as publications on the Internet) by public entities is permitted, when provided for by law. Secondly, the matriculation number is considered an identification number, as it allows third parties to trace the identity of the data subject, and not authorised personnel only. Consequently, the DPA held that a matriculation number on online publications falls under the definition of "personal data" in Article 4(1) GDPR. The DPA reminded the controller that, as defined in Recital 26 GDPR, pseudonymisation is a mere technical measure and still makes it possible to trace the identity of a data subject in an indirect way or through use of additional information. With regards to the press release, the DPA held that there was no derogation from the principles on the protection of personal data. The DPA also reiterated that the principles of lawfulness and data minimisation apply to publication on online public notice boards, as clarified in the [https://www.garanteprivacy.it/home/docweb/-/docweb-display/docweb/1803707 "Guidelines on the processing of personal data, also contained in administrative acts and documents, carried out for the purpo